Researchers Warn of Serious SSH Flaws

The new flaws, found in several implementations of the SSHv2 protocol, are especially dangerous in that they occur before authentication takes place.

Security researchers have discovered a set of vulnerabilities in several vendors' implementations of the SSHv2 protocol that could give an attacker the ability to execute code on remote machines. The new flaws are especially dangerous in that they occur before authentication takes place.

The SSH (secure shell) protocol is a transport layer protocol that enables clients to connect securely to a remote server. It's often used for remote administration purposes.

Although the results of exploiting one of these vulnerabilities vary by vendor and vulnerability, attackers could, in some cases, run code on remote machines or launch denial-of-service attacks. Rapid 7 Inc., the New York-based security company that found the vulnerabilities, only tested SSHv2 implementations but said that some SSHv1 implementations may be vulnerable as well.

Most of the flaws involve memory access violations and all of them are found in the greeting and key-exchange phase of the SSH transmission. Among the vendors whose products are vulnerable are SSH Communications Security Inc., F-Secure Corp., InterSoft International Inc., and several others. However, both SSH Communications and F-Secure say that the vulnerabilities are not exploitable in their software.
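The greeting and key-exchange messages are parsed before the peer has authenticated, so every length in them has to be checked against the bytes actually received. The following is an added example, not code from the article or from any vendor named in it, and it does not reproduce the specific flaws, which the article does not detail. The field layouts follow RFC 4253; the function names are hypothetical, and accepting only the `SSH-2.0-` prefix is a simplification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSH_IDENT_MAX   255  /* RFC 4253 4.2: max line length incl. CR LF */
#define SSH_MSG_KEXINIT 20
#define KEX_NAME_LISTS  10   /* RFC 4253 7.1: ten name-lists in KEXINIT */

/* Hypothetical helper: return the length of the identification line
 * (including LF), or -1 if no well-formed "SSH-2.0-" line ends within
 * the first 255 bytes of the input. */
int ssh_ident_len(const uint8_t *buf, size_t len)
{
    size_t limit = len < SSH_IDENT_MAX ? len : SSH_IDENT_MAX;
    if (limit < 8 || memcmp(buf, "SSH-2.0-", 8) != 0)
        return -1;
    for (size_t i = 8; i < limit; i++) {
        if (buf[i] == '\0')
            return -1;              /* NUL must not appear in the greeting */
        if (buf[i] == '\n')
            return (int)(i + 1);
    }
    return -1;                      /* unterminated or over-long line */
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical helper: validate the framing of a KEXINIT payload. Every
 * name-list length must fit in the bytes that remain. Returns 0 or -1. */
int ssh_kexinit_check(const uint8_t *p, size_t len)
{
    size_t off = 1 + 16;            /* message type + cookie */
    if (len < off || p[0] != SSH_MSG_KEXINIT)
        return -1;
    for (int i = 0; i < KEX_NAME_LISTS; i++) {
        if (len - off < 4)
            return -1;              /* no room for the length field */
        uint32_t n = be32(p + off);
        off += 4;
        if (n > len - off)          /* compare to remainder: cannot wrap */
            return -1;
        off += n;
    }
    return (len - off == 5) ? 0 : -1;  /* first_kex_packet_follows + reserved */
}
```

Comparing each declared length against the remaining byte count, rather than adding it to an offset first, keeps a value such as 0xFFFFFFFF from wrapping the arithmetic.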